
\documentclass[12pt, A4]{article}
\usepackage{enumerate}
\usepackage{amsmath}
\usepackage{graphicx}

%\numberwithin{equation}

\begin{document}
%
% paper title
% can use linebreaks \\ within to get better formatting as desired
\title{Novel Untraceable Authenticated Key Agreement Protocol Using Smart Cards}


\author{Chin-Chen Chang, Hao-Chuan Tsai, Hai-Duong Le,Chin-Hsiang Chang}% <-this % stops a space







% make the title area
\maketitle


\begin{abstract}
%\boldmath
The abstract goes here.
\end{abstract}

\section{Introduction}

\section{Li et al's scheme}

In this section, we review Li et al's scheme in brief. The scheme has totally five phases: parameter generation, registration, precomputation, log-in and password-changing. 

\subsection{Parameter generation}
Li et al's scheme is based on hash function, symmetric encryption and elliptic curve discrete logarithm problem. The system needs to generates the following parameters:
\begin{itemize}
\item First, the server chooses a large prime $p$ and two field elements $a \in Z_p$ and $b \in Z_p$, where $a$ and $b$ must satisfy $4a^3+27b^2\pmod p$.
\item The server then finds a generator point $G$ of large order.
\item The server selects a random number $x$ as its private.
\item Lastly, the server computes the public key $P_S=xG$ and publishes the parameters $\{P_S, p, E_p,G\}$.
\end{itemize}

There are some assumptions regarding the sizes of the parameters used in the scheme as follows.
\begin{itemize}
\item Both the block size of the block cipher $E_s(\cdot)$ and the output of hash function $h(\cdot)$ are 128 bits.
\item The sizes of user identity $ID$ and card identity $CI$ are both 32 bits.
\item The sizes of all the random numbers used in the system are 64  bits.

\end{itemize}
\subsection{Registration phase}
The registration phase is performed once for each user in the following steps.
\begin{enumerate}[Step 1]
\item A user $U$ with identity $ID$ chooses a pasword $PW$, a random number $b$ and a random nonce $N_0 \in_R \{0,1\}^{64}$ . Then, he gives $\{ID, h(PW\|b),N_0\}$ to the server $S$ for registration. 

\item After receiving $\{ID, h(PW\|b), N_0\}$, the server creates the card identity $CI$, which is the number of the card issued to the user. The server stores $\{ID, CI, N_0\}$ in the server's registration table. $S$ issues the card to the user $U$; the card contains the following information: 

$$\{b^{N_0}_{ID}, V_{ID},ID,CI\}$$ \\
where
$$TAG_0= h((ID\|CI\|N_0)\|((ID\|CI\|N_0) \oplus h(PW\|b)))$$
$$b^{N_0}_{ID}=E_s((ID\|CI\|N_0)\|((ID\|CI\|N_0) \oplus h(PW\|b))\|TAG_0)$$
$$V_{ID}=h(ID\|s\|CI)$$

\item Upon receiving the card, the user $U$ stores $b$ into the card memory; therefore, the card memory contains  $\{ID, CI, N_0,b\}$
\end{enumerate}

\subsection{Precomputation phase}
In this phase, the smart card computes $e = rG, c=rP_s=rxG$ as points over $E_p$, where $r$ is a random number. $r$ and $c$ are stored in smart card memory for later use in authenticated key agreement.

\subsection{Log-in phase}
In order to authenticate with the server, user inserts his smart card into card reader and keys in his password. Then, the user's system communicates with the server to established authentication and key agreement as follows.
\begin{enumerate}[Step 1]
\item The card chooses a nonce $N_1 \in_R {0,1}^{64}$, and sends $\{b^{N_0}_{ID},E_{V_{ID}}(N_1\|e)\}$ to the server.
\item Upon receiving $\{b^{N_0}_{ID},E_{V_{ID}}(N_1\|e)\}$, the server $S$ obtains $ID,CI,N_0,h(PW\|b)$ by decrypting $b^{N_0}_{ID}$ and validates $\{ID,CI,N_0\}$ against the registration table. If $b^{N_0}_{ID}$ is valid, the server decrypts $E_{V_{ID}}(N_1\|e)$ to gains $N_1$ and $e$. Then, the server updates registration table by replacing $N_0$ with $N_1$; the entry for user $U$ in registration table becomes $\{ID,CI,N_1\}$. The server selects $u \in_R {0,1}^{64}$, and computes $$c=xe$$ and $$M_S=h(c\|u\|V_{ID})$$ 
Next, server sends to the card the message $\{Nb1, u \oplus h_{64}(b^{N_1}_{ID}),M_S\}$, where $h_{64}(b^{N_1}_{ID})$ is the first 64 bits of $h(b^{N_1}_{ID})$ and\\
$$TAG_1=h((ID\|CI\|N_1)\|((ID\|CI\|N_1) \oplus h(PW\|b)))$$
$$b^{N_1}_{ID}=E_s((ID\|CI\|N_1)\|((ID\|CI\|N_1) \oplus h(PW\|b))\|TAG_1)$$
$$Nb1=b^{N_1}_{ID} \oplus (h(N_1\|e\|1)\|h(N_1\|e\|2)\|h(N_1\|e\|3))$$

\item The smart card obtains $b^{N_1}_{ID}$ from $Nb1$ with the knowledge of $N_1$ and $e$. The card also derives $u$ from $u \oplus h_{64}(b^{N_1}_{ID})$; then, it verifies whether $h(c\|u\|V_{ID})$ is equal to $M_S$. If it is true, the card sends $M_U=h(h(PW\|b)\|V_{ID}\|c\|u)$ to server for authenticating itself.

\item The server verifies whether $M_U \stackrel{?}{=}h(h(PW\|b)\|V_{ID}\|c\|u)$ holds. If it holds, the server accepts the log-in request of user $U$. Thus,  the smart card and the server successfully authenticate each other and share a session key $k=h(V_ID\|c\|u)$.

\end{enumerate}

\subsection{Password changing phase}
Before changing password, a user needs to log-in and shares a session key with the server. The user chooses a new password $PW^*$ and a random string $b^*$. The card sends password-changing message $\{E_k((ID\|CI\|N^*)\|h(PW*\|b^*))\}$ to server, where $N^* \in_R {0,1}^{64}$.  The server derives $ID, CI,N^*,h(PW^*\|b^*)$ ; then, $S$ updates the entry $\{ID,CI,N\}$ in registratrion table with $\{ID,CI,N^*\}$. Next, the server sends to the user a response containing $\{E_k(b^{N*}_{ID}\|ID\|CI\|N^*)\}$, where
$$TAG^*=h((ID\|CI\|N^*)\|((ID\|CI\|N^*) \oplus h(PW^*\|b^*)))$$
$$b^{N^*}_{ID}=E_s((ID\|CI\|N^*)\|((ID\|CI\|N^*) \oplus h(PW^*\|b^*))\|TAG^*)$$

Upon receiving the server's response, the card decrypts and verifies the response. After that, it replaces $b^{N}_{ID}$,$b$ with the newly derived values $b^{N^*}_{ID}$,$b^*$ in the card memory.
\section{The proposed scheme}
In this section, we propose a new scheme that overcomes the flaws and weaknesses in Wang et al's scheme. The proposed scheme consists of four phases: parameter generation phase, registration phase, login and verification phase, and password changing phase.

\subsection{Parameter generation phase}
In our scheme, server selects a random number $x$, where $x\in Z_p$, as its secret key. In addition, a cryptographic hash function is chosen by the server. The  hash function $h(\cdot)$ is a one-way hash function. 

\subsection{Registration phase}
\begin{enumerate}[Step 1]
\item  A new user $U_i$ submits his identity $ID_i$ to server $S$ for registration.
\item After receiving $ID_i$ from  $U_i$, server $S$ generates random number $r$ and computes the following parameters:
\begin{itemize}
\item $V = h(r\|ID_i\|x) \oplus h(pw_{ini})$, where $x$ is the server's secret key. $pw_{ini}$ is just a initial password given to user by server. When recieving the smart card, user needs to perform smart card activation procedure in which user will change the password from initial password to his own password.
\item $IM = E_{x}(ID_i\|r)\oplus  h(pw_{ini})$, where $E_{x}()$ is a symmetric encryption function with secret key $x$.
\item Server writes $\{V,IM\}$ into a smart card and issues the smart card to $U_i$ together with the initial password $pw_{ini}$.
\end{itemize}

\item When $U_i$ receives the smart card, he performs smart card activation and changes password. $U_i$ inserts the smart card into card reader, then he keys in the initial password $pw_{ini}$ and his new password $pw_i$. The smart card computes  $V_{new} = h(r\|ID_i\|x) \oplus h(pw_i)$ and $IM_{new} = E_{x}(ID_i\|r)\oplus h(pw_i)$. Values of $V,IM$ will be replaced by values of $V_{new},IM_{new}$ respectively in the smart card's memory.
\end{enumerate}

\subsection{ Login and verification phase}
When user $U_i$ wants to login the server $S$, he inserts his smart card into the card reader and keys in his password $pw_i$. Then the smart card executes the following procedure:
\begin{enumerate}[Step 1] 
\item First, the smart card generates a random number $r_1$ and computes $T_1=IM\oplus h(pw)$ is equal to $E_{x}(ID_i\|r)$.Then, it delivers $\{T_1,r_1\}$ to the server.
\item Upon receiving the login request message, $S$ uses its secret key $x$ to decrypt $T_1$, $D_x(T_1)=ID_i\|r$. $S$ generates two random numbers $ r' $ and $r_2$, it performs the following computation:
\begin{itemize}
\item $T_2 = E_x(ID_i\|r')\oplus r_2$.
\item $K_{auth}=h(r\|ID_i\|x)$
\item $T_3= {E_{K}}_{auth}(r_1\oplus r_2\|h(E_x(ID_i\|r'))\|h(r'\|ID_i\|x))$
\item $S$ send message of \{$T_2$, $T_3$\} to $U_i$'s smart card.
\end{itemize}
\item When receiving $\{T_2, T_3\}$ from $S$, the smart card computes $K_{auth}= V \oplus h(pw_i)$. Using the newly computed key $K_{auth}$, $U_i$ decrypts $T_3$, $D_{K_{auth}}(T_3) = r_1\oplus r_2 \| h(E_x(ID_i\|r')\| h(r'\|ID\|x)$. Then $U_i$ verifies $h(E_x(ID_i\|r'))$. If $h(E_x(ID_i\|r'))$ is correct, $U_i$ is assured of integrity and origin of  $T_2,T_3$; otherwise, the card reader will terminate the login process and report failed login.

The card reader computes:
\begin{itemize}
\item $V_{new}= h(r' \| ID_i \|x) \oplus h(pw_i)$ and $IM_{new}= T_2 \oplus r_2 \oplus h(pw_i)$, where $h(r'\|ID_i\|x)$ and $r_2$ are obtained from the prevous decryption of $T_3$. Then, the card reader replace $V$, $IM$ by $V_{new}$ respectively in the smart card's memory.
\item the new session key $K_{SU} = h(r_1\|r_2)$ 
\item $T_4 = h(r_2 + 1)$
\end{itemize}
The card reader send $\{T4\}$ to server $S$.

\item Upon receiving \{$T_4$\}, $S$ checks whether $T_4$ is equal to $h(r_2+1)$. If it is correct, $S$ successfully authenticates $U_i$ and it computes the session key $K_{SU}$.

After the previous step, $S$ and $U_i$ have successfully athenticated each other and shared a seession key $K_{SU}$ for subsequent communication.
\end{enumerate}

\subsection{Password changing phase}
When a user $U_i$ wants to change his password, he inserts his smart card into card reader and enters his current password $pw_i$. First, the card reader tries to authenticates the user against the server $S$. If the authentication is successful, the smart card then requests $U_i$ to keys in his new password $pw_{new}$. Since $S$ limits the number of failed logins, getting $U_i$ authenticated before changing his password will prevent brute force password attacks.

Once $U_i$ is authenticated, the card reader computes $V' = h(r\|ID_i\|x) \oplus h(pw_{new})$ and $IM' = E_{x}(ID_i\|r)\oplus  h(pw_{new})$, and then replace $V$, $IM$ by  $V'$, $IM'$ respectively in the smart card's memory. Now, $U_i$ has successfully change his password.


\section{Conclusion}
The conclusion goes here.

\end{document}



